CS代写 SWEN90010 – High Integrity

SWEN90010 – High Integrity
Systems Engineering Security Engineering: Threat Modelling

Copyright By PowCoder代写 加微信 powcoder

DMD 8.17 (Level 8, Doug McDonell Bldg)
http://people.eng.unimelb.edu.au/tobym @tobycmurray

SECURITY ENGINEERING:

THREAT MODELLING (C.F. HAZARD ANALYSIS)
See: Shostack, Threat modeling: Designing for security. Wiley, 2014 (Available as an ebook from the library: library.unimelb.edu.au)

Security: Review
Basic Security Properties:
3 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Security: Review
Basic Security Properties:
Confidentiality
3 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Security: Review
Basic Security Properties:
Confidentiality Integrity
3 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Security: Review
Basic Security Properties:
Confidentiality Integrity Availability

Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Security: Review
Basic Security Properties:
Confidentiality Integrity Availability Authentication

Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Security: Review
Basic Security Properties:
Confidentiality Integrity Availability Authentication Non-Repudiation

Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Security: Review
Basic Security Properties:
Confidentiality Integrity Availability Authentication Non-Repudiation
Access Control

Threat Modelling
5 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Threat Modelling trust boundary
5 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Spoofing: pretending to be something or someone you are not
Tampering: modifying something you are not supposed to
Repudiation: claiming you didn’t do something
Information Disclosure: revealing information to people who are not supposed to see it
Denial of Service: crashing a system, making it too slow, exhausting its storage
Elevation of Privilege: being able to do something that, technically, you not allowed to do

7 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

pretending to be another customer
7 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

pretending
pretending to be another customer
to be your website (phishing attack)
7 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

pretending
pretending to be another customer
to be your website (phishing attack)
another site forging a link to one of your pages (e.g. placeorder.aspx) (CSRF attack)
7 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

8 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

8 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
tampering with database contents by offsite admin

tampering with data in transit
8 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
tampering with database contents by offsite admin

tampering with data in transit
website defacement
tampering with database contents by offsite admin
8 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Repudiation
9 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Repudiation
are there system logs?
9 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Repudiation
are there system logs?
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
do they log the right information?

Repudiation
are there system logs?
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
do they log the right information?
are they protected against tampering?

Information Disclosure
10 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Information Disclosure
what if somebody steals your TLS private key?
10 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Information Disclosure
offsite admin reads database
what if somebody steals your TLS private key?
10 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Information Disclosure
offsite admin reads database
what if somebody steals your TLS private key?
what if somebody steals your password file? (is it encrypted?)
10 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Denial of Service
11 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Denial of Service
what if your site gets slashdotted?
11 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Denial of Service
what if your site gets slashdotted?
what if the offsite db provider goes down?
11 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Elevation of Privilege
12 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Elevation of Privilege
Can customers connect directly to the business logic server?
12 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Elevation of Privilege
Can they issue web requests for other users’ content?
Can customers connect directly to the business logic server?
12 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Elevation of Privilege
Can they issue web requests for other users’ content?
Can customers connect directly to the business logic server?
Can others connect to the offsite db?
12 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

ATTACK TREES

Quickly, By Example Access the building
14 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example Access the building
Go through the door
14 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example Access the building
Go through
the door Go through the
14 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example Access the building
Go through the door
Go through the window
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Go through the wall

Quickly, By Example Access the building
Go through the door
Go through the window
Some other way
Go through the wall
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example
Go through the door
Access the building
15 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Go through the window
Go throug wall

Quickly, By Example
Go through the door
When it’s unlocked
Access the building
Go through the window
Go throug wall
15 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example
Go through the door
When it’s unlocked
Access the building
Go through the window
Go throug wall
Drill the lock
15 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example
Access the building
Go through the door
Go through the window
When it’s unlocked
Go throug wall
Drill the lock
Pick the lock
15 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example
Access the building
Go through the door
Go through the window
Go throug wall
When it’s unlocked
Drill the lock
Pick the lock
15 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Use the key

Quickly, By Example
Access the building
Go through the door
Go through the window
When it’s unlocked
Go throug wall
Drill the lock
Social engineering
Pick the lock
15 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Use the key

Quickly, By Example ill the lock
Pick the lock
Use the key
Social engineering
16 Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Go throug wall

Quickly, By Example ill the lock
Social engineering
Pick the lock
Use the key
Go throug wall
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License
Find a key

Quickly, By Example ill the lock
Social engineering
Pick the lock
Use the key
Find a key
Steal a key
Go throug wall
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example ill the lock
Social engineering
Pick the lock
Use the key
Find a key
Steal a key
Photograph + reproduce
Go throug wall
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example ill the lock
Social engineering
Pick the lock
Use the key
Find a key
Steal a key
Photograph + reproduce
Go throug wall
Social engineer a key
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

Quickly, By Example ill the lock
Social engineering
Pick the lock
Use the key
Find a key
Steal a key
Photograph + reproduce
Go throug wall
Social engineer a key
Copyright University of Melbourne 2016, provided under Creative Commons Attribution License

程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com